Active Market for Healthcare Records Looms As Newest Cyber Threat

Offers to sell patient records with protected health information on the “Dark Web” market represent a new level of threat for healthcare organizations trying to protect health information, offering further monetary inducement to hackers trying to access records.

The addition of a new potential for profiting from hacking could increase the “demand” side of the equation for records, increasing the likelihood of attacks and the need for healthcare organizations to stiffen defenses.

In late June, a hacker known as “The Dark Overlord” reported the theft of nearly 10 million patient medical records from providers and a major insurer and put them on the Dark Web market where hackers conduct buy and sell data taken from a variety of sources. As of this writing, the records have not been sold, and the seller may be having trouble selling the treasure trove of protected health information.

The extent of the data theft has not been verified by outside sources. But what this hacker started—the creation of a new market for patient records—will only expand, cybersecurity professionals believe.

Information from medical records has been available on the Dark Web in the past, according to Mark Turnage, president and CEO at OWL Cybersecurity, which monitors and investigates cyber attacks as well as offering a range of protection and consulting services. However, security pros were stunned by the scope of this data sale—that so many records from multiple healthcare organizations were being openly made available for sale either in mass or in part, with a total value of more than $800,000.

OWL Cybersecurity said the information that is available is unencrypted plain text that includes usernames and passwords, It said the Dark Overlord reported the total includes 48,000 records from a provider in Farmington, Mo.; 210,000 records from a healthcare organization in the Midwest; 397,000 records from a provider in the Atlanta region; 34,000 records from a provider in New York State; and 9.3 million records from an unidentified insurer. Those figures have not been independently verified.

Turnage said that the records were still for available for purchase last week, with no indications that any had been bought. He couldn’t ascribe a reason for the lack of sales, but said buyers might be wary because this is a new character unknown to established criminals.

Hackers on the Dark Web use a Tor web browser to enable anonymous browsing as they search for unprotected data, and Turnage and others believe this is how the Dark Overlord accessed the healthcare information.

The FBI, Secret Service and the National Cybersecurity and Communications Integration Center in the Department of Homeland Security routinely investigate cyber attacks, but do not comment on their investigations, and had no comment on investigations into this incident.

In recent months, ransomware has gained the majority of cyber threat press, but this new threat for data theft raises the new worries for cybersecurity, according to Turnage. It’s clear that the Dark Overlord successfully accessed and stole data, releasing some samples as an example of the information that is available for purchase. “Ransomware blocks access, but this is wholesale theft,” Turnage says. And theft clearly is HIPAA reportable.

However, the hacker also attempted to extort at least one victim to pay ransom as another vehicle for monetizing the haul, says Christos Dimitriadis, PhD, chair of the ISACA board of directors, a trade group previously known as the Information Systems and Control Association.

The mere introduction of malware, which could include ransomware or the outright stealing of data, calls into question the integrity of an organization’s PHI, says David Holtzman, a former HHS Office for Civil Rights official and now an executive at security firm CynergisTek.

Over time, full confirmation of the identities of the organizations that had data stolen should be made public as the theft of protected health information is a HIPAA reportable event. The Dark Overlord released a small sample of records to demonstrate he had them. But the question remains whether The Dark Overlord really has upwards of 10 million records and Turnage of OWL Cybersecurity acknowledges, “No, we really don’t know that.”

Still, the events of late June “are a very strong endorsement that this is how life is going to be,” for healthcare providers and payers, Turnage adds. “We need to take this threat seriously.”

The healthcare industry has seen many different threats to protected health information over the years, including efforts to sell data, particularly from hacked websites. But this targeting of massive amounts of healthcare information directly relating to patients, such as complete medical records, is a new market for hackers, says Chase Cunningham, PhD, head of research and development at Armor Defense, a cloud cybersecurity vendor. “We haven’t seen this before, with real market pricing on validated records.”

Market pricing on the Dark Web in 2016, according to cybersecurity vendor Clearwater Compliance ranges up to $60 per complete medical record.

With this new market comes another new threat. Hackers can go through the records they have stolen, identify healthcare CEOs and other top leaders who have medical records they would not want to see made public, and blackmail them, Cunningham warns.

Despite that scenario and other threats, he doesn’t see the healthcare security environment changing much. The politically correct answer would be to say that security efforts will change drastically with providers and payers locking down their systems and encrypting data to the point where a thief cannot steal data even if he or she gets into the systems. The reality, Cunningham bemoans, is that the theft and sale of data will be an increasing concern that healthcare organizations will need to deal with.

Understaffed and underfinanced healthcare information technology and security units are simply overwhelmed with cyber threats; they mediate one threat and move on to the next, but don’t have the training, manpower or money to go as deep as they may want to or should. They’re just hoping their organizations “don’t end up in the newspapers,” Cunningham says.

After years of work, the banking industry has substantially met the cyber threat but healthcare has not come close, and Cunningham sees a very painful period coming for providers and insurers during the next couple of years. “Healthcare, for cyber security, is 10 to 15 years behind the banking industry.”

However, Dimitriadis of the ISACA sees increasing investment in healthcare security. His organization projects investments of $170 billion and the creation of 2 million new cybersecurity jobs across all industries worldwide by 2020.

Despite the threats in healthcare, many organizations are being reactive rather than creating a cyber-secure environment and are further hampered by a big gap in cybersecurity skills, Dimitriadis says. Healthcare facilities also need to focus beyond technology solutions to work on process solutions. They also could benefit from creating in-house security councils that, among other duties, can address the skills gap.

“You need to find funds to boost skills,” he cautions. “It’s a business matter, not just a technology issue. It’s a matter of staying in business.”